Have a Question? Search our Knowledge Base.

Policy and Recommendations On Exposing Hosts to the Public Internet

Alex Keller
- August 31, 2016 16:24

Exposing host network services to the Internet is perilous. SoE IT strongly recommends that hosts never be exposed to unsolicited inbound connections from the Internet unless the service meets the outlined criteria below. If servers need to be accessed from outside of the Stanford network, SoE IT strongly recommends restricting that access to the Stanford VPN.

Exposing servers to the public internet may be allowed if ALL of the following criteria are met:

There is a veritable requirement to expose the network service, AND

The administrator of the host understands and accepts the associated risks, AND

The server is patched in compliance with the Stanford minimum security requirements, AND

Exposed network services are restricted to the minimum required.

Hosts that expose network services to the Internet are relentlessly attacked and successful compromises will be used to carry out a variety of illegitimate and possibly illegal activities. Our tests shows that a publicly exposed host is typically discovered and attacked within minutes of being placed on the network. It is critical that such hosts be vigilantly secured.

For more information please see the Stanford Minimum Security Standards: https://uit.stanford.edu/guide/securitystandards#security-standards-servers

SoE IT reserves the right to block and revoke exposures to the Internet if there is reason to believe such an exposure is endangering the security of the Stanford network, infrastructure, services, or data.

Please contact SoE IT Help <soeithelp@stanford.edu> if you have any questions or would like to request a security consultation.